Spoofing
Spoofing is a class of cyber attack in which an attacker disguises themselves, a device, or a communication as a trusted source in order to deceive a victim or bypass security controls.
Spoofing is the "S" in the [STRIDE] threat model.
The impersonation can target many layers of a system:

- IP spoofing forges the source address in network packets to impersonate a trusted host or obscure the attacker’s origin;
- email spoofing falsifies the sender address to make a message appear to originate from a legitimate contact or organization, a technique central to [phishing] attacks;
- DNS spoofing (or cache poisoning) corrupts DNS records to redirect traffic intended for a legitimate domain to a malicious server;
- ARP spoofing links an attacker’s MAC address to a legitimate IP address on a local network, enabling [man-in-the-middle] interception;
- and website spoofing — creating convincing replicas of legitimate sites — is commonly used to harvest credentials from unsuspecting users.
Spoofing attacks are typically a means to an end rather than an end in themselves, serving as a precursor to data theft, session hijacking, malware delivery, or unauthorized access.
Defenses are correspondingly varied and layer-specific:

- email authentication standards such as SPF, DKIM, and DMARC make sender forgery detectable and rejectable;
- DNSSEC adds cryptographic validation to DNS responses;
- TLS certificates allow clients to verify the identity of web servers;
- and network-level ingress and egress filtering can block packets with forged source addresses from entering or leaving a network.
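To make the first defense concrete, the following added example (not code from the original page) shows how SPF and DMARC together turn a forged sender into a rejectable message. It evaluates an SPF record for the connecting IP and then checks DMARC identifier alignment against the header From domain. Everything runs offline: the SPF and DMARC records, domains and IPs are constructed samples held in a dictionary instead of being fetched over DNS, mechanisms that would need DNS lookups (`include`, `a`, `mx`, etc.) are reported as `temperror`, and the organizational domain is approximated by the last two labels rather than the Public Suffix List a real verifier uses.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def spf_check(record, client_ip):
    """Evaluate a textual SPF record for the connecting IP, left to right.
    Only ip4/ip6/all are resolved here; mechanisms that need DNS lookups
    return "temperror" because this example runs offline (simplification)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip in network:              # version mismatch simply fails to match
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        elif mech in DNS_MECHANISMS or mech.startswith("redirect="):
            return "temperror"             # would need DNS; not resolved here
        # other modifiers (e.g. exp=) are ignored for evaluation purposes
    return "neutral"                       # nothing matched and no 'all' term


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels
    (real DMARC uses the Public Suffix List; simplification for this example)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def identifiers_align(from_domain, auth_domain, mode):
    """DMARC alignment: strict ("s") needs an exact match, relaxed ("r")
    only a shared organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(dmarc_record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return "pass" when SPF or DKIM passed AND aligns with the header From
    domain; otherwise the policy (p=) the domain owner published."""
    tags = {}
    for item in dmarc_record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "none"
    spf_ok = spf_result == "pass" and identifiers_align(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and identifiers_align(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed records: the domain being protected and an unrelated domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DMARC_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=r"


def classify(from_domain, mail_from_domain, client_ip,
             dkim_result="none", dkim_domain=""):
    """Verify one constructed message: SPF on the envelope (MAIL FROM) domain,
    then DMARC alignment against the header From domain. Returns "pass" or
    the policy to apply ("none", "quarantine", "reject")."""
    spf_result = spf_check(SPF_RECORDS.get(mail_from_domain, ""), client_ip)
    return dmarc_evaluate(DMARC_RECORD, from_domain, spf_result,
                          mail_from_domain, dkim_result, dkim_domain)
```

The second scenario in the test below is the one SPF alone cannot catch: the envelope domain is the sender's own, so SPF passes for that domain, but it does not align with the forged header From, so DMARC applies the published `p=reject` policy. The last scenario shows relaxed DKIM alignment accepting a signature from a subdomain of the From domain.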
At the application level, strong [authentication] mechanisms — particularly those that do not rely solely on network-level identity signals such as IP addresses — are the primary mitigation.
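The network-level ingress and egress filtering listed among the defenses above can be illustrated with a small source-address filter in the style of BCP 38. This is an added example, not code from the original page: the address space the network owns, the bogon list and the packet records are constructed samples, and in practice the same logic lives in router ACLs or unicast reverse-path forwarding checks rather than in Python.

```python
from ipaddress import ip_address, ip_network

# Constructed: the address space this network legitimately originates traffic from.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")]

# Source addresses that should never arrive from the Internet-facing side
# (private, loopback, link-local, unspecified). Constructed subset for the example.
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _in_any(addr, prefixes):
    # An address of the other IP version never matches a prefix, so mixing is safe.
    return any(addr in p for p in prefixes)


def filter_decision(src_ip, direction):
    """Return ("permit" | "drop", reason) for a packet's source address.
    direction is "ingress" for packets arriving from the Internet and
    "egress" for packets leaving our network."""
    src = ip_address(src_ip)
    if direction == "ingress":
        if _in_any(src, OUR_PREFIXES):
            return "drop", "external packet claims one of our addresses as source"
        if _in_any(src, BOGON_PREFIXES):
            return "drop", "bogon source address"
        return "permit", "source is an ordinary external address"
    if direction == "egress":
        if _in_any(src, OUR_PREFIXES):
            return "permit", "source belongs to our prefixes"
        return "drop", "outbound packet with a source address we do not own"
    raise ValueError(f"unknown direction: {direction!r}")


def apply_filter(packets):
    """Run constructed packet records through the filter; returns one
    (src, direction, verdict, reason) tuple per packet."""
    return [(p["src"], p["direction"]) + filter_decision(p["src"], p["direction"])
            for p in packets]


def dropped_count(packets):
    """Number of packets the filter rejects, useful for a quick summary."""
    return sum(1 for r in apply_filter(packets) if r[2] == "drop")


# Constructed sample traffic: two spoofed packets among legitimate ones.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "direction": "ingress"},   # normal inbound
    {"src": "192.0.2.9", "direction": "ingress"},      # inbound, forged internal source
    {"src": "10.1.2.3", "direction": "ingress"},       # inbound bogon
    {"src": "192.0.2.9", "direction": "egress"},       # normal outbound
    {"src": "203.0.113.44", "direction": "egress"},    # outbound, forged foreign source
    {"src": "2001:db8:1::10", "direction": "egress"},  # normal IPv6 outbound
]
```

The egress rule is the one that protects other networks: a host inside cannot emit packets carrying a source address the network does not own, which is what makes reflection and amplification abuse from that network detectable at its edge. The ingress rule protects the network itself from packets that pretend to come from inside.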